First version: 2021-05-13
Last updated: 2023-10-25
Last change(s): Added links to GDPR compliance assessment, Data Handling policy, GDPR Article 5; Modified contact information; Substituted Azure DRE for myDRE; Formatting.
Classification: Low
Purpose
anDREa B.V. (hereafter called anDREa) is committed to protect the data and privacy of all stakeholders. For the use of myDRE, anDREa has performed a
GDPR Compliance Assessment. This displays what evidence myDRE can provide and what the user should provide to be GDPR-compliant.
The purpose of this document is to describe anDREa’s Data Protection policy. It is to be read combined with the
Data Handling policy.
This document will be updated at least annually and when significant change happens to the relevant areas covered.
Definitions
Scope & governance
The following only applies to myDRE user information and might be restricted due to our duty to provide demonstrable evidence through logging.
In the services anDREa offers:
Type of data | anDREa | Tenant/Accountable |
User Account data | Processor** | n/a |
Data in Workspaces | Processor | Controller |
**Because anDREa operates on instruction of its Tenants, including but not limited to, collecting and storing user actions, anDREa is also Processor for user related data.
The Six GDPR Principles
anDREa is fully committed to
Article 5 of the GDPR and thus with respect to personal data, anDREa will ensure data is:
(a) processed lawfully, fairly and in a transparent manner in relation to individuals (‘lawfulness, fairness and transparency’);
(b) collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes; further processing for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes shall not be considered to be incompatible with the initial purposes (‘purpose limitation’);
(c) adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimization’);
(d) accurate and, where necessary, kept up to date; every reasonable step must be taken to ensure that personal data that are inaccurate, having regard to the purposes for which they are processed, are erased or rectified without delay (‘accuracy’);
(e) kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data are processed; personal data may be stored for longer periods insofar as the personal data will be processed solely for archiving purposes in the public interest, scientific or historical research purposes or statistical purposes subject to implementation of the appropriate technical and organizational measures required by the GDPR in order to safeguard the rights and freedoms of individuals (‘storage limitation’);
(f) processed in a manner that ensures appropriate security of the personal data, including protection against unauthorized or unlawful processing and against accidental loss, destruction or damage, using appropriate technical or organizational measures (‘integrity and confidentiality’).”
Data subject rights
We would like to make sure you are fully aware of all of your data protection rights. Every user is entitled to the following:
- The right to be informed – You have the right to request copies of your personal data. We may charge you a small fee for this service.
- The right to access – You have the right to request copies of your personal data. We may charge you a small fee for this service.
- The right to rectification – You have the right to request that we correct any information you believe is inaccurate. You also have the right to request that we complete the information you believe is incomplete.
- The right to erasure – You have the right to request that we erase your personal data, under certain conditions.
- The right to restrict processing – You have the right to request that we restrict the processing of your personal data, under certain conditions.
- The right to object to processing – You have the right to object to our processing of your personal data, under certain conditions.
- The right to data portability – You have the right to request that we transfer the data that we have collected to another organization, or directly to you, under certain conditions.
- Rights related to automated decision making including profiling – You are permitted to challenge and request a review of the processing if they believe the rules aren’t being followed.
The above only applies to:
myDRE user information and might be restricted due to our duty to provide demonstrable evidence through logging.
The above does not apply to:
Data processed within a Workspace:
- Falls under the responsibility of the Tenant or Accountable of the particular workspace.
Contact anDREa for requests regarding the above:
- Goto https://support.mydre.org/portal/en/myarea
- If needed, please create an account first
- Click Add ticket
- Click anDREa Organization
- Fill in the details and submit the ticket.
Though data within Workspaces are not our responsibility, feel free to contact us so that we can get you in touch with the controller of that data.